On that perspective I guess by default I’d think of a threat as something like “This particular team of hackers with this particular motive” and a threat model as something like “Maybe they have one or two zero days, their goal is DoS or exfiltrating information, they may have an internal collaborator but not one with admin privileges...” And then the number of possible threat models is vast even compared to the vast space of threats.
On that perspective I guess by default I’d think of a threat as something like “This particular team of hackers with this particular motive” and a threat model as something like “Maybe they have one or two zero days, their goal is DoS or exfiltrating information, they may have an internal collaborator but not one with admin privileges...” And then the number of possible threat models is vast even compared to the vast space of threats.